Tuesday, 2022-05-17

*** dviroel\|out is now known as dviroel		11:28
*** blarnath is now known as d34dh0r53		13:13
*** dasm\|off is now known as dasm		13:56
dmendiza[m]	Apologies, but I am double booked today for this time slot	15:01
dmendiza[m]	And I kinda have to pay attention to the other thing. 😅	15:01
dmendiza[m]	Anyone want to chair the meeting? If not we can skip this week.	15:01
knikolla	i'm ok with skipping	15:02
dmendiza[m]	knikolla: ack, sounds good	15:07
dmendiza[m]	knikolla: also, sorry I missed your PM the other day. Hopefully you're at H4 with ous.	15:08
dmendiza[m]	*us	15:08
knikolla	yeah, that's what i booked too. :)	15:16
admiyo	flake8.exceptions.FailedToLoadPlugin: Flake8 failed to load plugin "DOC" due to cannot import name 'Set' from 'collections' (/usr/lib/python3.10/collections/__init__.py)	15:57
admiyo	Fedora 35. Python 3.10	15:58
admiyo	tox -e pep8	15:58
admiyo	wiping /opt/openstack/keystone/.tox/pep8 and trying again same fail	15:58
admiyo	dod pep8 not specify the pythong version?	15:59
*** dviroel is now known as dviroel\|lunch		16:02
*** ricolin_ is now known as ricolin		16:29
shubjer0	Does anyone have any guides for integrating openstack keystone cli + horizon with azure ad?	16:33
shubjer0	I am trying to digest the docs at https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#federation-openidc but I need a bit more handholding	16:34
*** dviroel_ is now known as dviroel		16:52
*** dansmith_ is now known as dansmith		16:55
admiyo	shubjer0, yes	17:29
admiyo	shubjer0, for Azuer AD, what actual protocl do you want to use?	17:30
shubjer0	admiyo: OIDC	17:30
admiyo	OK, so you are doing an OIDC configureation. You are going to end up having to create 3 objest, and to configuyre your web server to do ODIC. Make sense?	17:30
admiyo	THe three objects are the idp, the mapping, and the protocol.	17:31
shubjer0	admiyo: yes	17:31
admiyo	so, the idp will be something like azure	17:31
shubjer0	admiyo: right off the back im supposed to make a identity provider and provide a url but i am not sure what url should be used	17:31
shubjer0	*right off the bat	17:31
shubjer0	the doc example is "openstack identity provider create --remote-id https://samltest.id/saml/idp samltest"	17:32
admiyo	When I start messing with something like this, I usually do something simplified, like a wsge app that just dumps the environment	17:32
admiyo	yeah. I don't eeven know who added remote-id, but I remember it being important, but maybe only if you have multiple providers	17:33
admiyo	lets kip it for now and come back...this stuff is in deep cryo storage in my brain	17:33
admiyo	does it let you skip or is it required?	17:34
admiyo	shubjer0, pretty sure that is a SAML2 requirement, not sure how it maps to OIDCS, I think you can disregard it	17:38
admiyo	Ah wait....	17:39
admiyo	"For an OpenID Connect IdP, it is the Identity Provider's Issuer Identifier. A remote ID must be globally unique: two identity providers cannot be associated with the same remote ID. The remote ID will usually appear as a URN but need not be a resolvable URL."	17:41
admiyo	https://opendev.org/openstack/keystone/src/branch/master/doc/source/admin/federation/configure_federation.rst	17:41
admiyo	shubjer0, do you have that value?	17:42
admiyo	https://opendev.org/openstack/keystone/commit/8e0723200640c340e755790b3d4f5a53a1778902 has a beter blurb	17:42
admiyo	For example, if our identity provider is ``google``, the mapping used is	17:43
admiyo	``google_mapping`` and the protocol is ``oidc``. The identity provider's	17:43
admiyo	remote IDs would be: [``accounts.google.com``].	17:43
admiyo	The `remote_id_attribute` value may be set to ``HTTP_OIDC_ISS``, since	17:43
admiyo	this value will always be ``accounts.google.com``.	17:43
shubjer0	admiyo: yeah i mean i have no idea what to put for remote_id because instructions are not clear	17:43
shubjer0	there's like a dozen 'endpoints' when using azure ad	17:43
shubjer0	maybe it should just be login.microsoftonline.com	17:44
admiyo	probably	17:44
admiyo	" Issuer Identifier"	17:44
admiyo	lets see...	17:44
admiyo	Microsoft usually finds a way to break standards...	17:44
admiyo	Issuer identifier	17:47
admiyo	Verifiable identifier for an issuer. An issuer identifier is a case-sensitive URL that uses the HTTPS scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.	17:47
admiyo	courtesy of IBM	17:47
admiyo	https://www.ibm.com/docs/en/sva/10.0.1?topic=concepts-openid-connect	17:47
admiyo	also in that docuement it states that in a claim you will see an iss field	17:48
admiyo	shubjer0, you are close. Do you have Azure OIDC working outside of Keystone anywhere? If so, see if you can pull a clain from an existing flow	17:49
shubjer0	admiyo: yeah our kubernetes side of our devops team hooked it in pretty easily	17:49
shubjer0	keystone seems a bit more involved	17:50
*** melwitt_ is now known as melwitt		18:08
admiyo	nah...just happened first. Kube got to learn from our mistakes	18:11
*** ianw_ is now known as ianw		19:11
admiyoung	knikolla, ERROR: could not install deps [.[bandit], -chttps://releases.openstack.org/constraints/upper/master, -r/opt/stack/keystone/test-requirements.txt, .[ldap,memcache,mongodb]]; v = InvocationError("/opt/stack/keystone/.tox/pep8/bin/python -m pip install '.[bandit]' -chttps://releases.openstack.org/constraints/upper/master -r/opt/stack/keystone/test-requirements.txt '.[ldap,memcache,mongodb]'", 1) running pep8. Been	19:22
admiyoung	happending for a while. Fedora 35. Any idea?	19:22
admiyoung	pg_config needed...	20:47
admiyoung	sudo dnf install libpq-devel	20:47
*** dasm is now known as dasm\|off		21:49
*** dviroel is now known as dviroe\|out		22:12

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!